Passbolt in Docker on Synology NAS not working after docker pull

I have been running Passbolt CE fine for a couple of months, but something went wrong after doing a docker pull and then "sudo docker-compose up --force-recreate --build passbolt".

I'm running on a Synology NAS with this compose file:

```yaml
# top-level "services:" and the "networks:" definition were not in the pasted
# fragment; they are the minimum a compose file needs for the two services below
services:
  passboltdb:
    container_name: passboltdb
    image: mariadb:10.3
    #image: mariadb:10.3.20
    restart: always
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "XXXXXXXXXXXXXXXXXXXXXX"
      MYSQL_PASSWORD: "XXXXXXXXXXXXXXXXXXXXXX"
    volumes:
      # the mount mode is separated from the container path by a colon, not a space
      - /volume2/docker/passbolt/db:/var/lib/mysql:rw
    networks:
      - passbolt

  passbolt:
    container_name: passbolt
    image: passbolt/passbolt:latest-ce
    #Alternatively you can use rootless:
    #image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - passboltdb
    environment:
      APP_FULL_BASE_URL: https://passbolt.davra.dk
      DATASOURCES_DEFAULT_HOST: "passboltdb"
      DATASOURCES_DEFAULT_USERNAME: "XXXXXXXXXXXXXXXXXXXXXX"
      DATASOURCES_DEFAULT_PASSWORD: "XXXXXXXXXXXXXXXXXXXXXX"
      DATASOURCES_DEFAULT_DATABASE: "passbolt"

      EMAIL_TRANSPORT_DEFAULT_HOST: "smtp.gmail.com"
      EMAIL_TRANSPORT_DEFAULT_PORT: "587"
      EMAIL_TRANSPORT_DEFAULT_USERNAME: "XXXXXXXXXXXXXXXXXXXXXX"
      EMAIL_TRANSPORT_DEFAULT_PASSWORD: "XXXXXXXXXXXXXXXXXXXXXX"
      EMAIL_TRANSPORT_DEFAULT_TLS: "true"
    volumes:
      - /volume2/docker/passbolt/gpg:/etc/passbolt/gpg:rw
      - /volume2/docker/passbolt/jwt_volume:/etc/passbolt/jwt:rw
      - /volume2/docker/passbolt/images:/usr/share/php/passbolt/webroot/img/public:rw
    command: ["/usr/bin/wait-for.sh", "-t", "0", "passboltdb:3306", "--", "/docker-entrypoint.sh"]
    ports:
      - 8088:80
    networks:
      - passbolt

networks:
  passbolt:
```

Healthcheck:

[passbolt ASCII-art banner]

Open source password manager for teams

Healthcheck shell

Environment

[PASS] PHP version 7.4.30.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate

Database

[PASS] The application is able to connect to the database
[PASS] 26 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[FAIL] The server OpenPGP key is not set
[HELP] Create a key, export it and add the fingerprint to config/passbolt.php
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[FAIL] The server key fingerprint doesn’t match the one defined in config/passbolt.php.
[HELP] Double check the key fingerprint, example:
[HELP] sudo su -s /bin/bash -c “gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg” root | grep -i -B 2 ‘SERVER_KEY_EMAIL’
[HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
[FAIL] The server public key defined in the config/passbolt.php (or environment variables) is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c “gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc” root
[FAIL] The server key does not have a valid email id.
[HELP] Edit or generate another key with a valid email id.

Application configuration

[FAIL] This installation is not up to date. Currently using 3.7.3 and it should be v3.8.0.
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found

[FAIL] 5 error(s) found. Hang in there!

How do I fix the problem?
Best regards Jakob

Hi @jakobarvad, welcome to the forum!

The healthcheck has [HELP] lines with suggested commands to fix the problem. However, they are not written with the Docker container context in mind. So, create an interactive command line interface with your container, and then use the suggested commands to fix your install.

See Passbolt Help | Troubleshoot Docker

After the rebuild what appears to have happened is the container now lacks the keys it needs to operate properly.

Please check this comment: Healthcheck inconsisten · Issue #126 · passbolt/passbolt_docker · GitHub

I should start with "[HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" root | grep -i -B 2 'SERVER_KEY_EMAIL'".
I think I have changed the email address after setting up passbolt. Should I just try to change it back, or can I somehow use the new email address?

Br Jakob

You could use the new one. This will result in a prompt to all users regarding the change. If you have the old server keys with the old address, they could be used and would then result in no prompt regarding a change of server key.

But either way keys are needed for operation. It probably comes down to whatever in your view is easiest or acceptable for your use case.

I still have these errors in the healthcheck and I have no idea what to do. I have tried:
www-data@43fc4f94ea09:/usr/share/php/passbolt$ /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
gpg: key 42E3AE2521DC6827: "Passbolt default user <passbolt@yourdomain.com>" not changed
gpg: key 42E3AE2521DC6827: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1
www-data@43fc4f94ea09:/usr/share/php/passbolt$

Healthcheck
www-data@43fc4f94ea09:/usr/share/php/passbolt$ ./bin/cake passbolt healthcheck


Open source password manager for teams

Healthcheck shell

Environment

[PASS] PHP version 7.4.30.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt.davra.dk
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate

Database

[PASS] The application is able to connect to the database
[PASS] 26 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[FAIL] The server OpenPGP key is not set
[HELP] Create a key, export it and add the fingerprint to config/passbolt.php
[HELP] See. Passbolt Help | Installation
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[FAIL] The server key fingerprint doesn’t match the one defined in config/passbolt.php.
[HELP] Double check the key fingerprint, example:
[HELP] sudo su -s /bin/bash -c “gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg” www-data | grep -i -B 2 ‘SERVER_KEY_EMAIL’
[HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
[HELP] See. Passbolt Help | Installation
[FAIL] The server public key defined in the config/passbolt.php (or environment variables) is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c “gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc” www-data
[FAIL] The server key does not have a valid email id.
[HELP] Edit or generate another key with a valid email id.

Application configuration

[FAIL] This installation is not up to date. Currently using 3.7.3 and it should be v3.8.1.
[HELP] See. Passbolt Help | Update
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found

[FAIL] 5 error(s) found. Hang in there!

www-data@43fc4f94ea09:/usr/share/php/passbolt$

I can now open the webpage, but it prompts for an email and none is known.

Br Jakob

Try this, which helps the script use the environment variables. If it doesn't work we can work to get an updated command.

su -s /bin/bash -c "source /etc/environment; ./bin/cake passbolt healthcheck" www-data
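The three GPG FAILs in the earlier healthcheck all come down to one comparison: the fingerprint of the primary key in the www-data keyring under GNUPGHOME versus the fingerprint passbolt is configured with, which in an environment-variable setup is PASSBOLT_GPG_SERVER_KEY_FINGERPRINT and is only visible to the healthcheck once /etc/environment has been sourced. The script below is an added example, not code from this thread or from the passbolt project: it parses the machine-readable output of gpg --with-colons --fingerprint, keeps only primary-key fingerprints, and reports whether the configured value is present. The keyring listing and the fingerprints are constructed sample data so it runs offline; in the container you would feed it the real listing and the real environment value.

```shell
#!/bin/sh
# Added example, not from the forum thread or the passbolt project: check whether the
# fingerprint passbolt is configured with is really present in the webserver user's keyring.
# Inside the container the inputs would be (assumptions about a typical env-var setup):
#   keyring:  su -s /bin/bash -c "gpg --with-colons --fingerprint --home /var/lib/passbolt/.gnupg" www-data
#   expected: $PASSBOLT_GPG_SERVER_KEY_FINGERPRINT (from /etc/environment)
# Both are replaced by constructed sample data here so the script runs offline.

# Constructed sample of 'gpg --with-colons --fingerprint' for a keyring holding one key
# (primary key plus one encryption subkey). Key IDs and fingerprints are made up.
SAMPLE_KEYRING='tru::1:1660000000:0:3:1:5
pub:u:3072:1:89ABCDEF01234567:1660000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1660000000::0000000000000000000000000000000000000000::Passbolt default user <passbolt@yourdomain.com>::::::::::0:
sub:u:3072:1:76543210FEDCBA98:1660000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Print the fingerprint of every primary key in --with-colons output read from stdin.
# An 'fpr' record's 10th field is the 40-hex fingerprint; fpr records follow both 'pub'
# and 'sub' records, so only the one directly after a 'pub' is kept (a subkey fingerprint
# never equals the configured server key fingerprint and would only confuse the check).
primary_fingerprints() {
  awk -F: '
    $1 == "pub" { want = 1; next }
    $1 == "fpr" && want { print $10; want = 0; next }
    $1 == "sub" { want = 0 }
  '
}

# Normalise a fingerprint as a human might paste it: drop 4-digit grouping spaces, uppercase.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Exit 0 if the configured fingerprint ($1) is one of the primary keys in the keyring on stdin.
keyring_has_fingerprint() {
  expected=$(normalize_fpr "$1")
  # refuse malformed input (e.g. an unset variable) rather than "matching" an empty string
  [ ${#expected} -eq 40 ] || return 1
  primary_fingerprints | grep -qx "$expected"
}

# Run the comparison against the sample keyring and explain the result the way the
# healthcheck's "fingerprint doesn't match" line would. Returns the check's status.
check_server_key() {
  if printf '%s\n' "$SAMPLE_KEYRING" | keyring_has_fingerprint "$1"; then
    echo "OK: configured fingerprint $1 is in the keyring"
    return 0
  fi
  echo "MISMATCH: configured fingerprint '$1' not among primary keys in the keyring:"
  printf '%s\n' "$SAMPLE_KEYRING" | primary_fingerprints | sed 's/^/  /'
  echo "  (check GNUPGHOME and that you listed the www-data keyring, not root's)"
  return 1
}

# Stand-alone demonstration: the first value matches, the second is the mismatch case.
check_server_key "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
check_server_key "1111111111111111111111111111111111111111" || true
```

Run it as-is to see both outcomes; to use it for real, replace SAMPLE_KEYRING with the output of the gpg command in the header comment and pass "$PASSBOLT_GPG_SERVER_KEY_FINGERPRINT" to check_server_key. The point of keeping only primary-key fingerprints and of the "www-data, not root" hint is the same one the healthcheck HELP lines make: the key must live in the keyring of the user the web server runs as, and the fingerprint that is compared is the primary key's.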

I get this:
root@43fc4f94ea09:/usr/share/php/passbolt# su -s /bin/bash -c "source /etc/environment; ./bin/cake passbolt healthcheck" www-data


Open source password manager for teams

Healthcheck shell

Environment

[PASS] PHP version 7.4.30.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt.davra.dk
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate

Database

[PASS] The application is able to connect to the database
[PASS] 26 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[FAIL] This installation is not up to date. Currently using 3.7.3 and it should be v3.8.1.
[HELP] See. Passbolt Help | Update
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found

[FAIL] 1 error(s) found. Hang in there!

root@43fc4f94ea09:/usr/share/php/passbolt#

This is a good healthcheck! If you try to put in your email for recovery but it does not know it, this would normally mean the database does not have the record.

You could next try to verify the email address exists in the users table username field, and make sure the active field is set to 1.

MYSQL:
MariaDB [passbolt]> show tables;
+-----------------------+
| Tables_in_passbolt |
+-----------------------+
| account_settings |
| action_logs |
| actions |
| authentication_tokens |
| avatars |
| comments |
| email_queue |
| entities_history |
| favorites |
| gpgkeys |
| groups |
| groups_users |
| organization_settings |
| permissions |
| permissions_history |
| phinxlog |
| profiles |
| resource_types |
| resources |
| roles |
| secret_accesses |
| secrets |
| secrets_history |
| transfers |
| user_agents |
| users |
+-----------------------+
26 rows in set (0.000 sec)

MariaDB [passbolt]> select * from users;
Empty set (0.000 sec)

With no users at all listed in the database, I am thinking a migration of the old db to the new Docker is needed: Passbolt Help | Migrate an existing Passbolt CE to a new Docker